Snort mailing list archives
Is this possible answer to the problem?
From: Peter Rodger <prodger2008 () yahoo com>
Date: Wed, 26 Oct 2005 11:48:35 -0700 (PDT)
Hi All,

The below is part of the output from snort -c -l. You can tell 60% of packets are dropped. Could this be the reason I cannot suppress the following?

suppress gen_id 122, sig_id 27
suppress gen_id 122, sig_id 19
suppress gen_id 119, sig_id 4

Even after I changed the span to only one VLAN, still 60-70% of packets are dropped.

Snort received 14747 packets
    Analyzed: 6016(40.795%)
    Dropped: 8731(59.205%)
===============================================================================
Breakdown by protocol:
    TCP: 5955       (40.381%)
    UDP: 52         (0.353%)
   ICMP: 0          (0.000%)
    ARP: 0          (0.000%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 6          (0.041%)
DISCARD: 0          (0.000%)
****************************************************

The whole output:

D:\win-ids\Snort\bin>snort -c "d:\win-ids\snort\etc\snort.conf" -l "d:\win-ids\snort\log"
Running in IDS mode

Initializing Network Interface \Device\NPF_{068F010E-6C94-4163-9C52-15551BFD66A9}

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface \Device\NPF_{068F010E-6C94-4163-9C52-15551BFD66A9}
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file d:\win-ids\snort\etc\snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
,-----------[Flow Config]----------------------
| Stats Interval:  0
| Hash Method:     2
| Memcap:          10485760
| Rows  :          4099
| Overhead Bytes:  16400(%0.16)
`----------------------------------------------
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl: 0
    Fragment ttl_limit: 5
    Fragment Problems: 0
    Self preservation threshold: 500
    Self preservation period: 90
    Suspend threshold: 1000
    Suspend period: 30
Stream4 config:
    Stateful inspection: ACTIVE
    Session statistics: INACTIVE
    Session timeout: 30 seconds
    Session memory cap: 8388608 bytes
    State alerts: INACTIVE
    Evasion alerts: INACTIVE
    Scan alerts: INACTIVE
    Log Flushed Streams: INACTIVE
    MinTTL: 1
    TTL Limit: 5
    Async Link: 0
    State Protection: 0
    Self preservation threshold: 50
    Self preservation period: 90
    Suspend threshold: 200
    Suspend period: 30
    Enforce TCP State: INACTIVE
    Midstream Drop Alerts: INACTIVE
Stream4_reassemble config:
    Server reassembly: INACTIVE
    Client reassembly: ACTIVE
    Reassembler alerts: ACTIVE
    Zero out flushed packets: INACTIVE
    flush_data_diff_size: 500
    Ports: 21 23 25 53 80 110 111 143 513 1433
    Emergency Ports: 21 23 25 53 80 110 111 143 513 1433
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: d:\win-ids\snort\etc\unicode.map
      IIS Unicode Map Codepage: 1252
    DEFAULT SERVER CONFIG:
      Ports: 80 8080 8180
      Flow Depth: 300
      Max Chunk Length: 500000
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: YES
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: YES
      Base36: OFF
      UTF 8: OFF
      IIS Unicode: YES alert: YES
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: YES
      Apache WhiteSpace: YES alert: NO
      IIS Delimiter: YES alert: NO
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: NONE
rpc_decode arguments:
    Ports to decode RPC on: 111 32771
    alert_fragments: INACTIVE
    alert_large_fragments: ACTIVE
    alert_incomplete: ACTIVE
    alert_multiple_requests: ACTIVE
telnet_decode arguments:
    Ports to decode telnet on: 21 23 25 119
Portscan Detection Config:
    Detect Protocols:  TCP UDP ICMP IP
    Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
    Sensitivity Level: Low
    Memcap (in bytes): 10000000
    Number of Nodes:   36900

Using LOCAL time
alert_syslog output processor is defaulting to syslog server on 127.0.0.1 port 514!
database: compiled support for ( mysql odbc mssql )
database: configured to use mssql
database: database name = snort
database:          user = snort
database: password is set
database:          host = localhost
database:          port = 1433
database:   sensor name = TESTIDS:\Device\NPF_{068F010E-6C94-4163-9C52-15551BFD66A9}
database: SQL Server message 5701, state 2, severity 0:
Changed database context to 'snort'.
Server 'TESTIDS',
database: SQL Server message 5701, state 1, severity 0:
Changed database context to 'snort'.
Server 'TESTIDS', Line 1
database:     sensor id = 1
database: inconsistent cid information for sid=1
Recovering by rolling forward the cid=45184
database: schema version = 106
database: using the "log" facility
database: compiled support for ( mysql odbc mssql )
database: configured to use mssql
database: database name = snort
database:          user = snort
database: password is set
database:          host = localhost
database:          port = 1433
database:   sensor name = TESTIDS:\Device\NPF_{068F010E-6C94-4163-9C52-15551BFD66A9}
database: SQL Server message 5701, state 2, severity 0:
Changed database context to 'snort'.
Server 'TESTIDS',
database: SQL Server message 5701, state 1, severity 0:
Changed database context to 'snort'.
Server 'TESTIDS', Line 1
database:     sensor id = 1
database: schema version = 106
database: using the "alert" facility
2111 Snort rules read...
2111 Option Chains linked into 191 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

Warning: flowbits key 'http.jpeg' is checked but not ever set.
Warning: flowbits key 'ms_sql_seen_dns' is checked but not ever set.
Warning: flowbits key 'realplayer.playlist' is checked but not ever set.

+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| gen-id=1 sig-id=3273 type=Threshold tracking=src count=5 seconds= 2
| gen-id=1 sig-id=3542 type=Threshold tracking=src count=5 seconds= 2
| gen-id=1 sig-id=3543 type=Threshold tracking=src count=5 seconds= 2
| gen-id=1 sig-id=3527 type=Limit tracking=dst count=5 seconds= 60
| gen-id=1 sig-id=2275 type=Threshold tracking=dst count=5 seconds= 60
| gen-id=1 sig-id=3152 type=Threshold tracking=src count=5 seconds= 2
| gen-id=1 sig-id=2523 type=Both tracking=dst count=10 seconds= 10
+-----------------------[suppression]------------------------------------------
| gen-id=1 sig-id=466 tracking=dstip=0.0.0.0 mask=0.0.0.0
| gen-id=1 sig-id=1070 tracking=dstip=0.0.0.0 mask=0.0.0.0
| gen-id=1 sig-id=882 tracking=dstip=0.0.0.0 mask=0.0.0.0
| gen-id=119 sig-id=4 tracking=dstip=0.0.0.0 mask=0.0.0.0
| gen-id=122 sig-id=27 tracking=dstip=0.0.0.0 mask=0.0.0.0
| gen-id=122 sig-id=19 tracking=dstip=0.0.0.0 mask=0.0.0.0
+------------------------------------------------------------------------------
Rule application order: ->activation->dynamic->alert->pass->log
Log directory = d:\win-ids\snort\log

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.3.0-ODBC-MySQL-MSSQL-FlexRESP-WIN32 (Build 10)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2004 Sourcefire Inc., et al.

===============================================================================
Snort received 14747 packets
    Analyzed: 6016(40.795%)
    Dropped: 8731(59.205%)
===============================================================================
Breakdown by protocol:
    TCP: 5955       (40.381%)
    UDP: 52         (0.353%)
   ICMP: 0          (0.000%)
    ARP: 0          (0.000%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 6          (0.041%)
DISCARD: 0          (0.000%)
===============================================================================
Action Stats:
ALERTS: 0
LOGGED: 0
PASSED: 0
===============================================================================
TCP Stream Reassembly Stats:
    TCP Packets Used: 5955 (40.381%)
    Stream Trackers: 403
    Stream flushes: 223
    Segments used: 453
    Stream4 Memory Faults: 0
===============================================================================
Final Flow Statistics
,----[ FLOWCACHE STATS ]----------
Memcap: 10485760 Overhead Bytes 16400 used(%0.760622)/blocks (79757/432)
Overhead blocks: 1 Could Hold: (71331)
IPV4 count: 431 frees: 0 low_time: 1130348993, high_time: 1130349005, diff: 0h:00:12s
    finds: 6516 reversed: 0(%0.000000)
    find_sucess: 2341271307 find_fail: 1078269480 percent_success: (%0.000000) new_flows: 439
    Protocol: 6 (%99.125230) finds: 6459 reversed: 0(%0.000000)
        find_sucess: 3354050943 find_fail: 1078272036 percent_success: (%0.000000) new_flows: 420
    Protocol: 17 (%0.828729) finds: 54 reversed: 0(%0.000000)
        find_sucess: 636291451 find_fail: 1078040500 percent_success: (%0.000000) new_flows: 17
    Protocol: 88 (%0.046041) finds: 3 reversed: 0(%0.000000)
        find_sucess: 0 find_fail: 0 percent_success: (%0.000000) new_flows: 2
database: Closing connection to database ""
database: Closing connection to database ""
Snort exiting

Thank you,
Peter
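An added example, not part of Peter's post or of Snort itself: a small Python check that reads the [suppression] table and the end-of-run packet summary quoted above, confirms the three suppress entries registered, and flags the drop rate, since a packet Snort drops is never inspected and so can neither alert nor be suppressed. The sample text is a constructed excerpt using the post's values, and the 5% drop threshold and helper names are assumptions.

```python
import re
# Constructed excerpt modelled on the Snort 2.3 output quoted in the post;
# the numbers are the post's, the surrounding lines are abbreviated.
SNORT_OUTPUT = """\
+-----------------------[suppression]------------------------------------------
| gen-id=119 sig-id=4 tracking=dstip=0.0.0.0 mask=0.0.0.0
| gen-id=122 sig-id=27 tracking=dstip=0.0.0.0 mask=0.0.0.0
| gen-id=122 sig-id=19 tracking=dstip=0.0.0.0 mask=0.0.0.0
+------------------------------------------------------------------------------
Snort received 14747 packets
    Analyzed: 6016(40.795%)
    Dropped: 8731(59.205%)
"""

RECV_RE = re.compile(r"^Snort received (\d+) packets", re.M)
COUNT_RE = re.compile(r"^\s*(Analyzed|Dropped):\s*(\d+)", re.M)
SUPPRESS_RE = re.compile(r"^\|\s*gen-id=(\d+)\s+sig-id=(\d+)", re.M)

def parse_summary(text):
    """Return (received, analyzed, dropped) from the end-of-run summary."""
    received = int(RECV_RE.search(text).group(1))
    counts = {k: int(v) for k, v in COUNT_RE.findall(text)}
    return received, counts["Analyzed"], counts["Dropped"]

def drop_rate(text):
    """Fraction of captured packets Snort never inspected."""
    received, _, dropped = parse_summary(text)
    return dropped / received if received else 0.0

def loaded_suppressions(text):
    """(gen_id, sig_id) pairs listed under Snort's [suppression] header only."""
    head = text.find("[suppression]")
    if head < 0:
        return set()
    section = text[head:].split("\n+", 1)[0]  # stop at the closing +---- rule
    return {(int(g), int(s)) for g, s in SUPPRESS_RE.findall(section)}

def check_sensor(text, expected, max_drop=0.05):
    """Flag missing suppress entries and an excessive drop rate. Dropped
    packets are never inspected, so no alert can fire for them, suppressed
    or not; max_drop=0.05 is an assumed threshold, not a Snort setting."""
    findings = []
    missing = sorted(set(expected) - loaded_suppressions(text))
    if missing:
        findings.append(f"suppress entries not loaded: {missing}")
    rate = drop_rate(text)
    if rate > max_drop:
        findings.append(f"drop rate {rate:.1%} exceeds {max_drop:.0%}")
    return findings
```

Run against the post's numbers, the three suppress entries are reported as loaded and the only finding is the 59.2% drop rate, which is the first thing to fix before judging whether suppression works.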